We’re seeing an uptick in concerns surrounding the safeguarding of Protected Health Information (PHI). From alarming data breaches to inadvertent sharing of sensitive data with social media giants, the landscape of health data security is looking fairly hazardous.

For instance, a controversy involving Meta highlighted the excessive data captured by marketing pixels. PHI details, from medical conditions to allergy information, were shared more broadly than anyone anticipated.

When it comes to digital marketing, it may seem like healthcare organizations are in a pickle.

Today we’ll look specifically at Google Analytics and third-party tracking for healthcare organizations. How can you protect PHI while still empowering your marketing team to make data-driven decisions? Let’s find out.

Navigating the HIPAA Hokey Pokey 

If the notion of tracking on a healthcare site makes you sweat, you’re not alone. A 2023 Health Affairs study found third-party tracking on hospital and health system websites as cause for concern, citing patient privacy issues and legal liability. 

Regulations governing healthcare organizations haven’t evolved as quickly as digital tools and technologies, though many consumers assume they’re covered. As Standard Care CEO Ryan Stellar described to Axios, “People think of HIPAA as the federal government protecting my health care. What it actually is is an umbrella made of concrete with gaping holes in it.” 

What marketers need to know: HHS issued guidance on online tracking for HIPAA-covered entities following a string of high-profile violations in late 2022. We’ve highlighted some common scenarios below, but dig into this recap for more.

• “What about tracking pages behind log-in screens?” (User-authenticated pages) Our take: Risky. Only collect anonymous data or do not track.
  
• “What about tracking public webpages broadly accessible to anyone?” (unauthenticated users) Our take: Generally considered OK to track, but use caution.
  
• “What if public pages reference information related to a specific condition, scheduling for a specific clinic, and/or contain a form submission?” Our take: Exclude tracking, this could be used to associate health information with individuals.
  
• The age-old question: “Is Google Analytics HIPAA compliant?” Not out-of-the-box, but with modifications, yes.  

Google Analytics 4 (GA4) 

As of July 1, 2023, Google stopped processing standard Universal Analytics (UA) data and transitioned the remaining UA accounts to GA4. Here are a few key differences:

• UA is session-based while GA4 is event-based, leading to a shift from traditional hit types to a more unified concept of events.
• GA4 provides a more comprehensive view of user interactions by capturing any activity as an event.
• GA4 eliminates the category, action, and label taxonomy of UA, urging users to rethink their data collection strategies.
• Different approaches to sessions and active users between the two can result in variations in report data.

What Does This Mean for Healthcare Marketers?

Given the changes brought by GA4 and the implications of theHHS bulletin, healthcare marketers need to closely analyze their approach.

• Granular Data Collection
  • Challenge: GA4’s in-depth data collection may accidentally encompass PHI.
  • Solution: Limit granular data collection to necessary, non-personal information.
    
• Form Tracking
  • Challenge: GA4’s event-centric approach might capture PHI in form submissions.
  • Solution: Adjust form tracking to exclude PHI-containing fields; routinely check for compliance.
    
• Comprehensive Compliance Reviews
  • Challenge: The shifting compliance landscape, especially when transitioning to GA4.
  • Solution: Implement regular compliance reviews, updating GA4 settings to reflect the latest standards.
    
• Machine Learning Insights
  • Challenge: GA4’s predictive metrics might draw from PHI data points.
  • Solution: Exercise caution with machine learning insights, ensuring they don’t reference PHI-related data.

So, while GA4 gives us rich insights through its event-based tracking system, it needs to be implemented with caution. 

As long as we craft strategies that guard PHI and stay in sync with any directives, providers, and marketers can stay confident they’re building a framework grounded in trust and safety, nurturing a healthcare ecosystem respectful of individual privacy — while also crushing the marketing game.